Message	Id	Version	Qualifiers	Level	Task	Opcode	Keywords	RecordId	ProviderName	ProviderId	LogName	ProcessId	ThreadId	MachineName	UserId	TimeCreated	ActivityId	RelatedActivityId	ContainerLog	MatchedQueryIds	Bookmark	LevelDisplayName	OpcodeDisplayName	TaskDisplayName	KeywordsDisplayNames	Properties
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x8298FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60454 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:25:15 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x8298FD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:25:15 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:51 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:51 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x2BAE2 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	18175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:50 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 1f53764d-bb2c-4332-9e1a-55c79f795840 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	18174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:47 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 1f53764d-bb2c-4332-9e1a-55c79f795840 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\53559d7dacd98b99b5f326c1de4fce40_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	18173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:47 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB1B9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:23 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F7581 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:20 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F7581 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:20 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7F7581 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:20 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:24:20 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7F2D5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:23:29 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7F2D5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60446 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:23:14 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7F2D5B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:23:14 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EFC01 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EFC01 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:25 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EFC01 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:25 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:25 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EBF45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EBF45 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EBF45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EAFF2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB1B9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB1B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB0EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB0EA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB0EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB0A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB0A1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EB0A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EAFF2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-485690452-1089956664-3051426224-329714643 Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7EAFF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CF30C54-6B38-40F7-B011-E1B5D30BA713 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:22:19 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7E7476 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:21:28 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7E7476 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60435 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:21:13 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7E7476 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:21:13 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7E11AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:19:26 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7E11AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60423 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:19:12 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7E11AB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:19:12 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7DB197 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:17:26 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7DB197 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60409 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:17:11 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7DB197 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:17:11 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7D51F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:15:25 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7D51F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60393 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:15:10 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7D51F8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:15:10 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7CE329 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:13:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7CE329 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60375 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:13:09 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7CE329 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:13:09 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7C82E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:11:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7C82E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60371 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:11:09 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7C82E9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:11:09 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7C15E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:09:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7C15E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60359 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:09:08 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7C15E9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:09:08 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B500B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:58 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B17 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:34 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B6FE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:23 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B6FE5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:23 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B6FE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:23 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:23 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B5DEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B5DEB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B5DEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4EBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B500B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B500B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4FAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4FAD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4FAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4F64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4F64 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4F64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4EBD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2765101404-1300373492-1212066968-1808408079 Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7B4EBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4D0195C-1FF4-4D82-98AC-3E480F1ECA6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:22 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B2DEB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60352 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60351 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60353 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B6B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60350 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B4B17 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:18 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7B2DEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60347 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:07 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7B2DEB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:07:07 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7ACEF4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:05:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7ACEF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60337 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:05:06 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7ACEF4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:05:06 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7A6BEC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:03:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7A6BEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60326 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:03:05 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7A6BEC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:03:05 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7A0A75 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:01:19 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7A0A75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60314 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:01:04 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7A0A75 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/28/2021 12:01:04 AM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x793587 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x796F0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x796F0E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x796F0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x794274 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x794274 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x794274 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x793439 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x793587 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x793587 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79352E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79352E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x79352E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7934E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7934E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7934E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x793439 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1286177955-1081237573-1513011328-4036035403 Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x793439 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4CA984A3-6045-4072-80B8-2E5A4B0391F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7912CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7912CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60277 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7912CA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:59:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843A2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784C76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x788931 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x788931 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x788931 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x787670 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x787670 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x787670 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78596A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78596A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78596A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784B2C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784C76 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784C76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784C1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784C1D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784C1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784BD4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784BD4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784BD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784B2C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3399458724-1112486546-230418100-3849087432 Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x784B2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA9F9FA4-3292-424F-B4E6-BB0DC8696CE5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	18017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60260 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843ED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60261 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843E9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60259 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843E8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60258 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7843A2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:58:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77F059 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:57:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x77F059 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60249 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	18004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:57:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77F059 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	18003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:57:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77352F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:56:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x773A77 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7759FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	18000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7759FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7759FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77476F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77476F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77476F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77392F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x773A77 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x773A77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x773A1E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x773A1E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x773A1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7739D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7739D5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7739D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77392F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1462290536-1196103867-930329999-2020481358 Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77392F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5728C868-18BB-474B-8FB5-73374E196E78 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77357F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x773577 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77357F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60239 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77357F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x773574 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x773577 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60238 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x773577 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x773574 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60237 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x773574 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77352F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60236 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x77352F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7706B7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7706B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60235 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7706B7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:55:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x76497A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764EC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x766E2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x766E2E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x766E2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765BC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765BC1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x765BC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764D81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764EC9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764EC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764E70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764E70 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764E70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764E27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764E27 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764E27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764D81 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-820559818-1278655133-974102716-3284517104 Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x764D81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 30E8BFCA-BA9D-4C36-BCA0-0F3AF0C0C5C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649C7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649CE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60225 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649CB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60224 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649CE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60223 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7649C7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x76497A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60222 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x76497A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7630B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7630B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60221 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7630B2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:53:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74E03D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:51:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7587DB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:51:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x7587DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60211 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:50:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x7587DB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:50:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7519BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7519BC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7519BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74ED95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74ED95 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74ED95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DEE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74E03D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74E03D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DFDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DFDD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DFDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DF94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DF94 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DF94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DEE8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1388385916-1185830174-2874491564-2634328841 Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74DEE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 52C1167C-551E-46AE-AC42-55AB09AB049D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744CD5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744B30 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7451A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7470FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7470FA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7470FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F13 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74505C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7451A9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7451A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745150 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745150 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745150 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745107 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745107 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745107 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74505C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1479709800-1193908036-2832952233-3163629807 Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74505C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 58329468-9744-4729-A96B-DBA8EF2891BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D2C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D1B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60201 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D1A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D1B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D2C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60202 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D2C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60200 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744D1A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744CD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60199 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744CD5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:49:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x744B30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60198 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:48:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x744B30 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:48:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73665D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:48:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x739D82 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x739D82 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x739D82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D561 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x737349 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x737349 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x737349 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73650F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73665D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73665D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736604 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736604 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736604 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7365BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7365BB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7365BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73650F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2056749462-1293050333-2019996606-3827331408 Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x73650F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7A978196-61DD-4D12-BEB3-6678507120E4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72DA45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F98F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F98F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F98F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72E7B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72E7B3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72E7B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D8FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72DA45 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72DA45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D9EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D9EC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D9EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D9A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D9A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D9A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D8FD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1457309576-1303041863-3145715337-61850131 Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D8FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56DCC788-D747-4DAA-89CE-7FBB13C2AF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5DA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5CA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60184 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5DA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60185 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5CB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60183 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D5CA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D561 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-801990-5 Source Network Address: 10.222.0.16 Source Port: 60182 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72D561 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72BDCE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:47:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x72BDCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60181 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:46:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x72BDCE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:46:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718CC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:45:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x721283 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4912	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:45:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x721283 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60171 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x721283 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71DA8D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71DA8D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71DA8D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71AC9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71AC9B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71AC9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718B6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718CC8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718CC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718C6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718C6F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718C6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718C25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718C25 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718C25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718B6D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3265705950-1125383516-1722194561-3878792707 Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x718B6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2A6B7DE-FD5C-4313-819A-A66603AE31E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:44:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x71477C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:43:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x71477C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60162 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:42:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x71477C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:42:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x70E7BB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:41:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x70E7BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60150 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x70E7BB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFCB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x703502 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x703502 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x703502 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700A26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700A26 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x700A26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFB69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFCB7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFCB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFC57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFC57 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFC57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFC0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFC0E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFC0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFB69 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-36037892-1315735429-1699041471-3308008637 Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FFB69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0225E504-8785-4E6C-BF50-4565BD342CC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F3A6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:40:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F5F19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F5F19 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F5F19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F476B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F476B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F476B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F391C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F3A6F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F3A6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F3A12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F3A12 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F3A12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F39C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F39C2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F39C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F391C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-622463938-1308596272-3943556516-1184347074 Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F391C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 251A0BC2-9830-4DFF-A4E5-0DEBC2B39746 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7829 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6EDC7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:39:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x6EDC7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60121 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6EDC7C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EB11B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EB11B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6EB11B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8555 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8555 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E8555 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E765B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7829 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7829 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E77C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E77C4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E77C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7711 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7711 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7711 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E765B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4074411693-1242532263-3540166799-3067737852 Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E765B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F2DA96AD-89A7-4A0F-8FA8-02D3FCF6D9B6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6E1E21 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA430 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E49CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E49CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E49CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x6E1E21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60094 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6E1E21 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:38:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DDC4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DDC4D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DDC4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DB19D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DB19D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DB19D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA2DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA430 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA430 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA3D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA3D0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA3D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	4944	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA387 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA387 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA387 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA2DA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-481524547-1292574063-4091480752-2300612813 Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA2DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1CB37B43-1D6F-4D0B-B00A-DFF3CD902089 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6D4C7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:37:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE16D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x6D4C7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60071 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6D4C7F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D00A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D00A1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D00A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CEE50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CEE50 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CEE50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE017 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE16D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE16D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE10D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE10D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE10D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE0C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE0C4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE0C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE017 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2989839081-1240568129-921520831-2503333300 Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6CE017 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B23552E9-9141-49F1-BF4A-ED36B4D53595 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD8FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:36:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA695 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A755D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BE087 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BE087 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BE087 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB3EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB3EB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BB3EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA485 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA695 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA695 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA638 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA638 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA638 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA5E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA5E8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA5E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA485 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2826516673-1149121872-906312121-60642012 Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6BA485 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A87938C1-3550-447E-B939-0536DC529D03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6959CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B3BE5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B3BE5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B3BE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6A6ED8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0657 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0657 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B0657 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AEEBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AEEBD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AEEBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD736 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD8FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD8FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD8A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD8A6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD8A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD85D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD85D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD85D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD736 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4110410216-1244542643-655716995-1304169536 Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6AD736 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4FFE1E8-36B3-4A2E-8372-1527400CBC4D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:35:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69301B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A8331 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A8331 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A8331 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A72E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A755D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A755D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A74D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A74D3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A74D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A7456 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A7456 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A7456 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A72E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907979205-1202971928-368043415-199832251 Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A72E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71B973C5-E518-47B3-97E5-EF15BB32E90B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x6A6ED8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60048 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6A6ED8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6627FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0315 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0315 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A0315 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69BCE7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69BCE7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69BCE7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69879E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69879E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69879E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69704D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69704D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69704D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695803 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6959CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6959CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695976 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695976 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695976 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695926 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695926 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695926 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695803 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2967941312-1298915859-881320100-4151207998 Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x695803 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0E730C0-E213-4D6B-A4E0-87343E686EF7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x693FBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x693FBC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x693FBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692B25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69301B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69301B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692E7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692E7C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692E7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692D0C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692D0C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692D0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692B25 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1165033739-1277854880-1297900673-3584495134 Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x692B25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4571010B-84A0-4C2A-8164-5C4D1E0EA7D5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:34:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A030 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x658484 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B09D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x683766 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x683766 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x683766 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673F4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67BE83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67BE83 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67BE83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AF4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B09D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B09D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B044 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B044 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67B044 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AFFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AFFB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AFFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AF4E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4116888105-1180780586-3827596182-2231953250 Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67AF4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F562BA29-482A-4661-967B-24E462E70885 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677966 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677966 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x677966 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x66CBD3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x674CF3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x674CF3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x674CF3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673DF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673F4A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673F4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673EED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673EED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673EED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673E9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673E9D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673E9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673DF1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167217986-1215321655-2657220797-1738026514 Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x673DF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45925542-5637-4870-BDF8-619E122E9867 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:33:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624AA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66DAFD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66DAFD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66DAFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x66CBD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60033 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x66CBD3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AE3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AE3B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AE3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669EDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A030 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A030 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669FD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669FD7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669FD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669F89 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669F89 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669F89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669EDD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-857831985-1088185492-2541416372-3365991835 Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x669EDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33217A31-6494-40DC-B4EF-7A979BF5A0C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6662C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6662C5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6662C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x663567 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x663567 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x663567 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x662632 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6627FD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6627FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6627A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6627A4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6627A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6626DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6626DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6626DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x662632 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1196318951-1291925678-1279527842-403758302 Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x662632 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 474E60E7-38AE-4D01-A20B-444CDEDC1018 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C98B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F484 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F484 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F484 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6591DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6591DC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6591DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6582BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x658484 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x658484 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6583B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6583B4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6583B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x658368 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x658368 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x658368 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6582BF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1111146596-1262486292-3092230299-2565115378 Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6582BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 423AC064-0314-4B40-9BB0-4FB8F28DE498 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:32:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x651F6E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x651F6E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x651F6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64F0DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64F0DB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64F0DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64D714 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64D714 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64D714 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C843 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C98B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C98B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C932 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C932 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C932 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C8E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C8E9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C8E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C843 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2720683379-1329393871-3375170466-1470190822 Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64C843 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A22A5573-F0CF-4F3C-A203-2DC9E654A157 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:31:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6461A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B1AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x646D75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x646D75 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x646D75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x6461A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60030 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x6461A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6351E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:30:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63B156 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63B156 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63B156 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x638338 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x638338 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x638338 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63507A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6351E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6351E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63517C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63517C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63517C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x635132 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x635132 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x635132 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63507A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-113384703-1166304856-3132325257-410250194 Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63507A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 06C21CFF-6658-4584-897D-B3BAD2EB7318 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x631BFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:29:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x631BFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60021 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x631BFE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EF8A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EF8A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62EF8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62BEAD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62BEAD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62BEAD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B05E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B1AC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B1AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B153 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B153 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B153 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B10A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B10A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B10A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B05E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3187936532-1132754405-996694656-1769163265 Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B05E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BE040D14-75E5-4384-805A-683B014A7369 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62870B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62870B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62870B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x625809 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x625809 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x625809 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62495E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624AA8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624AA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624A4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624A4F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624A4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624A06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624A06 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624A06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62495E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3609858786-1109203874-3449320603-155674661 Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62495E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D72A12E2-1BA2-421D-9B74-98CD25684709 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:28:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC591 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:27:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF838 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:27:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE7E2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:27:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6010F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:27:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x605950 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60A3EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60A3EF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60A3EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608350 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608350 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x608350 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x605950 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60017 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x605950 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x604C7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x604C7D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x604C7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6021B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6021B7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6021B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600C12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6010F8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6010F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FF6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600FF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600ED3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600ED3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600ED3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600C12 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1058460970-1073958397-3188053420-1101834000 Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x600C12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F16D52A-4DFD-4003-ACD5-05BE10A7AC41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60060F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60060F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60060F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF6F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF838 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF838 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF7DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF7DF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF7DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF796 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF796 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF6F1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340384182-1327607239-4266765453-52166255 Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF6F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71A37B6-ADC7-4F21-8DAC-51FE6FFE1B03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FD362 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FD362 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FD362 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC43E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC591 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC591 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC538 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC538 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC538 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC4EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC4EF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC4EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC43E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2879372693-1149386061-1640729232-2564826384 Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FC43E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AB9FBD95-3D4D-4482-908A-CB611025E098 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB648 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F1BB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F1BB2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5F1BB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:26:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D82BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ED3FB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ED3FB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5ED3FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB0C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB648 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB648 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB4B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB4B3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB4B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB32A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB32A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB32A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB0C3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1393944382-1110601828-2664646791-2965933345 Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EB0C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5315E73E-7064-4232-8748-D39E218DC8B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E8B39 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E8B39 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E8B39 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E443C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E443C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E443C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E3867 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E3867 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E3867 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DF57E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DF57E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DF57E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE61E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE7E2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE7E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE789 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE789 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE789 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE6F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE6F7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE6F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE61E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1167071001-1101478631-2201280915-3694484919 Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DE61E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 45901719-3AE7-41A7-93E1-3483B75D35DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBB7B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBB7B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBB7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9011 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9011 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D9011 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D8174 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D82BC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D82BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D8263 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D8263 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D8263 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D821A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D821A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D821A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D8174 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1775728225-1167243433-3415081356-4066824263 Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D8174 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 69D77661-B8A9-4592-8C01-8ECB47D066F2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x5D597B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:25:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x5D597B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60014 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x5D597B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2B7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE91C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CAC70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CAC70 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CAC70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:24:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C68B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C68B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C68B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C39AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C39AE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C39AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2A2F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2B7E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2B7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2B23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2B23 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2B23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2ADA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2ADA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2ADA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2A2F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2008164683-1296310483-1731137680-3153585885 Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2A2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 77B2294B-20D3-4D44-9010-2F67DDE6F7BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7BAC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BB864 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BB864 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BB864 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B8943 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B8943 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B8943 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7A5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7BAC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7BAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7B53 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7B53 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7B53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7B06 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7B06 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7B06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7A5A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2693746515-1306642795-1879349904-751113650 Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B7A5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A08F4F53-C96B-4DE1-909A-0470B215C52C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x5AC8CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:23:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD4B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B1149 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B1149 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B1149 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE2DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE2DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AE2DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD35B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD4B0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD4B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD450 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD450 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD450 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD407 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD407 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD407 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD35B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3664477482-1177923454-1139798405-83011776 Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5AD35B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DA6B7D2A-AF7E-4635-85F1-EF43C0A8F204 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x5AC8CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60007 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x5AC8CB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A33AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A71F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A71F8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A71F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A414E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A414E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A414E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3263 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A33AB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A33AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3352 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3352 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3352 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3309 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3309 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3309 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3263 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2306654709-1222625417-206680243-563397348 Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A3263 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 897CC1F5-C889-48DF-B3B0-510CE4C29421 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597B78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59B88A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59B88A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59B88A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	17003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:22:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59898E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	17002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59898E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	17001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59898E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	17000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597A1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597B78 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597B78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597B18 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597B18 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597B18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597ACB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597ACB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597ACB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597A1F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-270799217-1277068329-1777451192-4207762513 Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x597A1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10241171-8429-4C1E-B8C0-F169515CCDFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DCC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x591A10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x591A10 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x591A10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EB8F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EB8F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EB8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DB7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DCC3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DCC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DC6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DC6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DC6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DC21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DC21 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DC21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DB7C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-79924299-1074984996-3691947172-3368902712 Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58DB7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 04C38C4B-F824-4012-A4A4-0EDC3860CDC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EB7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x583667 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5858C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5858C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5858C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x584411 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x584411 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x584411 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5834C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x583667 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x583667 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58360E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58360E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58360E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5835C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5835C5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5835C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5834C4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4043467202-1240908090-452749198-2639383405 Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5834C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F10269C2-C13A-49F6-8E67-FC1A6DCB519D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569DB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE68F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57646E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57646E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57646E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x573475 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x573475 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x573475 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56FA33 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56FA33 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56FA33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:21:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EA1C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EB7D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EB7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EB1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EB1D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EB1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EAD4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EAD4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EAD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EA1C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2277186058-1146471404-2447675306-247518392 Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56EA1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87BB1A0A-C3EC-4455-AA8F-E491B8D4C00E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x55899C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56D4A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56D4A4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56D4A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56C899 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56C899 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56C899 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AB7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AB7E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x56AB7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569C69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569DB1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569DB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569D58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569D58 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569D58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569D0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569D0F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569D0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569C69 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4090195878-1237646547-407252157-3656806129 Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x569C69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F3CB6FA6-FCD3-49C4-BD2C-4618F16EF6D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55536A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B6AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F451 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F451 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55F451 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55DBE3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55DBE3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55DBE3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55C7E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55C7E5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55C7E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B3AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B6AE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B6AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B58E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B58E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B58E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B460 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B460 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B460 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B3AD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-932100237-1292143817-3641196422-3287736807 Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55B3AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 378EB88D-8CC9-4D04-863F-08D9E7E1F6C3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DEB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x55899C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 60004 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x55899C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x556187 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x556187 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x556187 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555197 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55536A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55536A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5552E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5552E1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5552E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55523E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55523E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55523E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555197 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-43088688-1255534253-4244263565-2278404195 Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x555197 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02917B30-EEAD-4AD5-8D52-FAFC63B0CD87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x550116 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x550116 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x550116 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54ECD3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54ECD3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54ECD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DD6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DEB1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DEB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DE58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DE58 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DE58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DE0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DE0F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DE0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DD6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3526689437-1295819971-936155308-1058333046 Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x54DD6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D235029D-A4C3-4D3C-AC98-CC3776E1143F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F785 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x544961 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x544961 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x544961 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:20:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x540633 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x540633 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x540633 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F62A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F785 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F785 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F72C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F72C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F72C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F6E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F6E3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F6E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F62A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-334893454-1134642427-3689127580-2788831433 Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53F62A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 13F6118E-44FB-43A1-9C9E-E3DBC9303AA6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534FD8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5392A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5392A5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5392A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x535ED7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x535ED7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x535ED7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534E88 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534FD8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534FD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534F7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534F7D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534F7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534F34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534F34 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534F34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534E88 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1622028369-1137764961-2814599050-2159342596 Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534E88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 60AE3051-EA61-43D0-8A5F-C3A704F4B480 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24A14E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DAF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7F89 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517CAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C07F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52091A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52091A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52091A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x518C61 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x518C61 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x518C61 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517B52 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517CAB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517CAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517C4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517C4E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517C4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517BFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517BFE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517BFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517B52 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3410262534-1253414832-3288274838-142907923 Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x517B52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CB447A06-97B0-4AB5-9617-FFC3139A8408 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:19:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB2D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5109CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5109CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5109CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E06E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9F3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5050B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5050B2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5050B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x4F9D5D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5010B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5010B3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5010B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FF6F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FF6F6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FF6F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE510 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE68F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE68F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE636 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE636 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE636 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE5E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE5E6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE5E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE510 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1421263455-1109067608-3847356351-4128909155 Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FE510 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 54B6C25F-0758-421B-BFFF-51E563271AF6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FAFCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FAFCE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FAFCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9DF1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9F3B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9F3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9EE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9EE2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9EE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9E99 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9E99 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9E99 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9DF1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2928505480-1234160012-3650763430-15459215 Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4F9DF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AE8D7288-C98C-498F-A63A-9AD98FE3EB00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x4F9D5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59997 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x4F9D5D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AED5D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DF63 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ECF3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ECF3A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4ECF3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E8F3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E8F3C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E8F3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E1E81 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E1E81 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E1E81 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D0488 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0336 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E06E6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E06E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0529 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0529 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0529 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E04D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E04D4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E04D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0336 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3153371244-1103591694-1932550283-1092257947 Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E0336 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BBF4A06C-790E-41C7-8B60-30739B881A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD03F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD03F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DD03F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB18A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB2D8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB2D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB278 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB278 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB278 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB22F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB22F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB22F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB18A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-267529671-1306785821-691402927-1541778804 Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DB18A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0FF22DC7-F81D-4DE3-AFF8-352974ADE55B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D48D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430DB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE166 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE166 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE166 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA401 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA401 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA401 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44BC69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:18:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C1F3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C1F3C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C1F3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C06A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C07F8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C07F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C079F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C079F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C079F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0753 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0753 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C0753 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C06A3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3336302776-1074099292-2873056444-3324551346 Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C06A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C6DBF0B8-745C-4005-BC5C-3FABB2A028C6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49FBC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B9C8A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B9C8A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B9C8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B20C3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B20C3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B20C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B1B69 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B1B69 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4B1B69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AEC07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AED5D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AED5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AED04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AED04 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AED04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AECB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AECB4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AECB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AEC07 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1787780081-1136480105-732100542-2958522325 Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4AEC07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6A8F5BF1-4F69-43BD-BEF7-A22BD57757B0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4251C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8231 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8231 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A8231 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A5E7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A5E7C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A5E7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0E08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0E08 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A0E08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49F730 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49FBC0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49FBC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49FA74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49FA74 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49FA74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49F8FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49F8FE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49F8FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49F730 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3344295979-1104682117-1641853342-3577376418 Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49F730 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C755E82B-1C85-41D8-9EB1-DC61A26E3AD5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498A74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498A74 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x498A74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45897D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:17:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479D51 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479D51 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479D51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x44C14A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45BEF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45BEF8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45BEF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x444011 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x459F45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x459F45 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x459F45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458078 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45897D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x45897D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4587FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4587FD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4587FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458584 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458584 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458584 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458078 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2523328956-1290825117-1070258337-830014976 Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x458078 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9666F1BC-6D9D-4CF0-A1D8-CA3F00067931 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x452A65 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x452A65 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x452A65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EE7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EE7E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44EE7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4392A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B73A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x44C14A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59993 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x44C14A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44BC69 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44BC69 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44BB76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44BB76 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44BB76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B9CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B9CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B9CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B73A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1736652981-1137710827-3207765674-1739683444 Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x44B73A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 678338B5-16EB-43D0-AA9E-32BF7476B167 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x446769 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x446769 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x446769 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4457D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4457D9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4457D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443E21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x444011 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x444011 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443FB8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443FB8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443FB8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443ED1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443ED1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443ED1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443E21 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4109920522-1310292189-2428266115-942602038 Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443E21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4F8690A-78DD-4E19-8366-BC9036F72E38 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43E4A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43E4A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43E4A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B43E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B43E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B43E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B385 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B385 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B385 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x438F76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4392A5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4392A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43918A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43918A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43918A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4390DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4390DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4390DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x438F76 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-182876874-1178140156-2214375603-3258750205 Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x438F76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0AE67ACA-FDFC-4638-B3B0-FC83FD943CC2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x436E60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x436E60 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x436E60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DD4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DD4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430AAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430DB1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430DB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430C4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430C4A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430C4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430B62 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430B62 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430B62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430AAF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2227552847-1249578267-4019884186-2759806937 Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x430AAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 84C5C24F-0D1B-4A7B-9A90-9AEFD94F7FA4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42F8E2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42F8E2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42F8E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42CEA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D48D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D48D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D383 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D383 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D383 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D0F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D0F0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42D0F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42CEA8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2446322976-1230498470-1181101488-3351695558 Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42CEA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91CFED20-EAA6-4957-B02D-6646C6D0C6C7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42BA1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42BA1D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42BA1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42842F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42842F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42842F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424ED6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4251C5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4251C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4250F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4250F2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4250F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x425039 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x425039 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x425039 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424ED6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1859900496-1309089729-3778426811-2942217845 Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x424ED6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6EDBD450-1FC1-4E07-BB37-36E175AE5EAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419BE1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419BE1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419BE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E455E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EBADF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD8EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD8EB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD8EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD041 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD041 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FD041 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF514 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9783 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9783 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E9783 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E72FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E72FE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E72FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E67C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E67C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E67C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E3E75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E455E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E455E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E426B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E426B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E426B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E40D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E40D2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E40D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E3E75 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2478563132-1083948664-1214498985-443404161 Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E3E75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 93BBDF3C-BE78-409B-A9C8-634881CF6D1A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:16:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E3282 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E3282 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E3282 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DB999 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DB999 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DB999 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1DF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1DF9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1DF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CFF66 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D0488 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D0488 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D0328 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D0328 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D0328 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D01A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D01A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D01A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CFF66 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-922129783-1074181714-217549711-2043185569 Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CFF66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 36F69577-B652-4006-8F8B-F70CA189C879 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE7A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE91C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE91C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE8BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE8BD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE8BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE863 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE863 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE863 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE7A5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1581204550-1144408215-2968829574-3318465374 Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3CE7A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5E3F4446-4897-4436-86BE-F4B05EC3CBC5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F3D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38998F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C4B59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C4B59 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3C4B59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB173 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BDB08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BDB08 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BDB08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC169 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC169 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BC169 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB028 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB173 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB173 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB116 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB116 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB116 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB0CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB0CD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB0CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB028 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3181509887-1096795926-3860987785-1411909629 Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BB028 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BDA1FCFF-C716-415F-89FF-21E6FD072854 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E973 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7F4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7F4F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7F4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B40FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B40FA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B40FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B054F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B054F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B054F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF3C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF514 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF514 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF4BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF4BB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF4BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF472 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF472 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF472 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF3C5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1251564745-1105468495-3262446249-1030387096 Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3AF3C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4A995CC9-1C4F-41E4-A9FA-74C298756A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ABDE1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ABDE1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ABDE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9553 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9553 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A9553 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7A96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7F89 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7F89 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7E30 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7E30 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7E30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7CE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7CE8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7CE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7A96 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2955679866-1092400108-3716796595-3431768559 Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A7A96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B02C187A-B3EC-411C-B3D0-89DDEFA18CCC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DA14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A031F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A031F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A031F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F289 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F3D8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F3D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F37B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F37B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F37B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F332 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F332 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F332 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F289 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3818834875-1239744969-17179037-2516046197 Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F289 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E39ECBBB-01C9-49E5-9D21-060175D1F795 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39D214 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39D214 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39D214 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:15:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384EC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39483A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39483A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39483A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391F90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391F90 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x391F90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3914A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3907A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3907A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3907A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DD1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E973 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E973 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E695 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E695 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E695 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E32D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E32D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38E32D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DD1B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2980964376-1150367284-116619942-2409393529 Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DD1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B1ADE818-3634-4491-A67A-F306796D9C8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D225 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DA14 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38DA14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D774 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D774 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D774 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D5C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D5C7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D5C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D225 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2076912067-1130598977-2467018154-2327251212 Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D225 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7BCB29C3-9241-4363-AAB5-0B930C09B78A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38CE08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38CE08 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38CE08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:53 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AB2D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AB2D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38AB2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38953D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38998F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38998F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x389830 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x389830 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x389830 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3896CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3896CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3896CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38953D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1500887626-1235345452-1710123695-217094662 Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38953D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5975BA4A-E02C-49A1-AF6A-EE65069AF00C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x37F17D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385DB6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385DB6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x385DB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384D72 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384EC2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384EC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E60 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E60 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E60 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E17 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384E17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384D72 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3940712951-1277993815-677697674-1293310107 Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x384D72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EAE281F7-A357-4C2C-8AD8-64289B58164D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34FB8F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x37F17D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59990 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x37F17D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CBFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366D38 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375BE1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375BE1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375BE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x373930 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x373930 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x373930 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37044A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37044A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37044A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBB1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x368DD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x368DD7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x368DD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366BCF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366D38 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366D38 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366CCF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366CCF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366CCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366C7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366C7D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366C7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366BCF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1695851355-1209868587-863165571-4201572256 Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x366BCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6514A35B-212B-481D-83DC-7233A0E76EFA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2046 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x360ECE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x360ECE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x360ECE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FA43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FA43 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35FA43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D1B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DAF8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35DAF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D7C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D7C7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D7C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D592 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D592 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D592 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D1B8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3156425524-1100855630-1562888350-3632913422 Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35D1B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BC233B34-B94E-419D-9EC8-275D0EDC89D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35C70B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CBFE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CBFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CA9C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CA9C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35CA9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35C8C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35C8C9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35C8C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35C70B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2491209373-1213498437-1602438068-3369019046 Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35C70B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 947CD69D-8445-4854-B443-835FA626CFC8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	16004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:17 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E551D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x357D3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	16002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x357D3B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	16001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x357D3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	16000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35146E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35146E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35146E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F85B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34FB8F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34FB8F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F9C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F9C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F9C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F90A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F90A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F90A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F85B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3398175578-1305133815-2747262878-3450580163 Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x34F85B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CA8C0B5A-C2F7-4DCA-9EE7-BFA3C3ACABCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:14:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2F1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3483B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3483B6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3483B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x346734 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x346734 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x346734 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:54 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EB1F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EEDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EEDD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33EEDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:44 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DD96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DF63 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DF63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DED9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DED9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DED9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DE3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DE3B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DE3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DD96 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3256294622-1330167783-1771243705-3100832989 Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33DD96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C2171CDE-BFE7-4F48-B908-9369DDF4D2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:43 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33A741 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33A741 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33A741 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x339C4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x339C4A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x339C4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x337DB5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x337DB5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x337DB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3362E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3362E4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3362E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x335207 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x335207 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x335207 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3348A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3348A9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3348A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32FAA3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32FAA3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32FAA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E712 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EB1F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EB1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EA27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EA27 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32EA27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E907 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E907 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E907 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E712 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-529823587-1112151199-3981170841-37696379 Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32E712 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1F947763-149F-424A-99D8-4BED7B333F02 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32BDF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32BDF9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32BDF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x328ACA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x328ACA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x328ACA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:13:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x222A2F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x309B86 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307606 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x314F7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x314F7E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x314F7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:50 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x312B77 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x312B77 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x312B77 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23148E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x309B86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59982 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x309B86 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3086F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3086F0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3086F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3074B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307606 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x307606 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3075A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3075A6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3075A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30755D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30755D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x30755D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3074B8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-609779747-1145169224-2812005796-3774791391 Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3074B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 24588023-E548-4441-A4CD-9BA7DFBEFEE0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3047EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3047EF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3047EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEE78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEE78 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FEE78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB977 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB977 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FB977 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9DF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9DF6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F9DF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8F6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8F6B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F8F6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5A0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5A0F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5A0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F3A6A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F3A6A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F3A6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F294C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2F1F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2F1F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2E47 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2E47 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2E47 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2C10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2C10 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F2C10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F294C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-533096118-1120334594-3902285188-6821349 Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F294C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1FC666B6-F302-42C6-8425-98E8E5156800 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EE6EE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EE6EE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EE6EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2ED5ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2ED5ED Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2ED5ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB690 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EBADF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EBADF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB9EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB9EC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB9EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB8D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB8D6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB8D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB690 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1020624711-1318855233-2093648569-259301837 Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB690 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3CD57F47-2241-4E9C-B98A-CA7CCDA1740F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB5AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB5AD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB5AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E9809 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E9809 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E9809 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E743E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E743E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E743E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E53D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E551D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E551D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E54C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E54C4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E54C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E547B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E547B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E547B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E53D6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3129275779-1215569817-812109455-2827013195 Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E53D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA84F583-1F99-4874-8FCE-67304BCC80A8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E459C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E459C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E459C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E218C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E218C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E218C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1BF2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2046 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E2046 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1EEB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1EEB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1EEB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1DEF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1DEF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1DEF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1BF2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2723398586-1231569403-184926910-3110291924 Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1BF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A253C3BA-41FB-4968-BEC2-050BD44963B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC99C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC99C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DC99C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB9CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBB1D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBB1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBAC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBAC4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBAC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBA7B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBA7B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DBA7B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB9CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2705124568-1321754276-1674486186-2764442962 Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DB9CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A13CECD8-5EA4-4EC8-AAA1-CE63520DC6A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:12:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D6666 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D6666 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D6666 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB0D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D00D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D00D4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D00D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C43CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C43CE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C43CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200FDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BCC76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BCC76 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BCC76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BAF85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB0D9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB0D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB080 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB080 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB080 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB02B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB02B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BB02B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BAF85 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-896135252-1076003763-3580097184-1028310121 Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BAF85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3569F054-83B3-4022-A0F2-63D569C44A3D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B7F17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B7F17 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B7F17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B60F1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B60F1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B60F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258D34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A0F16 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A0F16 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A0F16 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29EA90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29EA90 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29EA90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2793F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29CB51 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29CB51 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29CB51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C990 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C990 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29C990 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AC09 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AC09 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29AC09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294D4A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294D4A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x294D4A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F745C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290FA9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290FA9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290FA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x2575C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28CBFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28CBFC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28CBFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28B17B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28B17B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28B17B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288FC3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288FC3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288FC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28011A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28011A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28011A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C214 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C214 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C214 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B929 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B929 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27B929 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278C2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2793F4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2793F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27916D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27916D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27916D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278F4C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278F4C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278F4C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278C2B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2021182534-1275301989-1920473791-1892232695 Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278C2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7878CC46-9065-4C03-BF1A-7872F72DC970 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:18 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2651D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272C32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D93 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D3A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272D3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272CE9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272CE9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272CE9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272C32 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3300351832-1156012957-1723108501-254564471 Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x272C32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4B75F58-5B9D-44E7-958C-B46677582C0F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E9F6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E9F6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26E9F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26D7FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26D7FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26D7FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:05 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26CCEC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26CCEC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26CCEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:11:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2696A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2696A9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2696A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266123 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266123 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x266123 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x264FF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2651D1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2651D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2650F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2650F0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2650F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2650A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2650A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2650A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x264FF0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3783384016-1132752134-307332003-768040131 Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x264FF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E181DBD0-6D06-4384-A383-5112C35CC72D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263004 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263004 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263004 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF422 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25A9B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25A9B5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25A9B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228DFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2587BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258D34 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258D34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258BB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258BB7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258BB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258A68 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258A68 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x258A68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2587BE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1708607751-1232442529-3128453798-586608663 Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2587BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65D74907-94A1-4975-A66A-78BA17F0F622 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x2575C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59979 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x2575C6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x254BA2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x254BA2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x254BA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2239E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D784 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D784 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24D784 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249B19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24A14E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24A14E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249ED4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249ED4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249ED4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249DEF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249DEF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249DEF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249B19 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3889369918-1095362386-3117941161-3156641463 Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x249B19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E7D3133E-E752-4149-A901-D8B9B78626BC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E12C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2435E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2435E6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2435E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x241CE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x241CE6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x241CE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23FA22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23FA22 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23FA22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EFD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EFD5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23EFD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23921A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23921A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23921A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239135 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239135 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x239135 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238DEF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238DEF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238DEF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x233DBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x233DBC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x233DBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x232307 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x232307 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x232307 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231347 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23148E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23148E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231435 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231435 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231435 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2313EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2313EC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2313EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231347 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1153881016-1093390690-193484954-1731343930 Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x231347 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44C6D3B8-D162-412B-9A58-880B3A363267 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F5C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F5C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x229F5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228982 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228DFB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228DFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228CE8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228CE8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228CE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228B9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228B9B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228B9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228982 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-597928014-1253376286-102073510-2036840357 Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x228982 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 23A3A84E-011E-4AB5-A684-1506A5B76779 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x227025 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x227025 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x227025 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x225BD9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x225BD9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x225BD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224770 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E78 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224B6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224B6F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224B6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2249FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2249FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2249FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224770 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-119003476-1307177713-1270185119-3449668276 Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224770 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0717D954-F2F1-4DE9-9F7C-B54BB4C29DCD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223631 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2239E4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2239E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223986 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223986 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223986 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2238E7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2238E7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2238E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2237BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2237BE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2237BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223631 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2280810730-1117697865-121950595-3516463596 Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x223631 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 87F268EA-B749-429E-83D1-4407ECF998D1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x222831 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x222A2F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x222A2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2229CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2229CF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2229CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22296C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22296C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22296C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x222831 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-451719468-1307003072-147907202-2379211719 Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x222831 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1AECB12C-48C0-4DE7-82E2-D008C7E3CF8D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA6B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:10:05 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E933C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1D145E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E84BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212446 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212446 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x212446 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208979 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208979 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x208979 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B97 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B97 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B5B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x207B5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2079D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2079D3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2079D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206CBE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206CBE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206CBE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206B80 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206B80 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x206B80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x201E40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:46 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x201E40 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x201E40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:46 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200E95 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200FDC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200FDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200F83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200F83 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200F83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200F3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200F3A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200F3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200E95 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1848070433-1251362744-3215501494-749576372 Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x200E95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6E275121-47B8-4A96-B6A8-A8BFB4A0AD2C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:45 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D40B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:43 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1C6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F828C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F828C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F828C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F7314 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F745C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F745C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F7403 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F7403 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F7403 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F73BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F73BA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F73BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F7314 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-39082847-1329964259-3334123163-3754957070 Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F7314 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 02545B5F-A4E3-4F45-9BAE-BAC60E19D0DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9EDE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9613 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7838 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB0FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB0FD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1EB0FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E9527 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E9527 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E9527 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8EC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E933C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E933C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E91A6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E91A6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E91A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E90D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E90D2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E90D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8EC0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3955262014-1137546308-1416961465-872199199 Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8EC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EBC0823E-9444-43CD-B91D-75541FB4FC33 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8361 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E84BD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E84BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8456 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8456 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8456 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E840D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E840D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E840D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8361 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-402900552-1296661253-5820305-676454815 Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E8361 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1803C648-7B05-4D49-91CF-58009FE15128 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E27A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E27A5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E27A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1178 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E12C2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E12C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1269 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1269 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1269 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E121D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E121D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E121D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1178 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-379057937-1150275525-834683819-2282130319 Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1178 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1697F711-CFC5-448F-AB43-C0318F8B0688 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0328 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0328 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E0328 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF2CC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF422 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF422 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF3C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF3C9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF3C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:08 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF379 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:07 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF379 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF379 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF2CC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-736977035-1278393766-642388919-2214744773 Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DF2CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BED608B-BDA6-4C32-B713-4A26C5520284 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:09:07 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB58A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:52 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB58A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB58A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA569 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA6B0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA6B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA657 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA657 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA657 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA60E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA60E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA60E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA569 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4282786461-1181014970-945038477-3728211197 Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DA569 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FF46229D-DBBA-4664-8D24-5438FDFC37DE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:51 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4F84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4F84 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4F84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D3F6C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D40B3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D40B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D405A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D405A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D405A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4011 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4011 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D4011 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D3F6C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4215020483-1330669542-3639917738-4121912693 Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D3F6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FB3C1BC3-67E6-4F50-AABC-F4D87565AFF5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:41 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D2F27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D2F27 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D2F27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D16AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1C6D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1C6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1ADE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1ADE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1ADE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1970 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1970 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D1970 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D16AF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3233542096-1314512659-3916388514-3986669184 Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D16AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C0BBEFD0-DF13-4E59-A258-6FE980BE9FED Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1D145E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59964 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1D145E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:38 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CC708 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CC708 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CC708 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CAE75 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CAE75 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CAE75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9976 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9EDE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9EDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9D5E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9D5E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9D5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9C1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9C1D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9C1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9976 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2347325013-1108849734-547498930-272876345 Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9976 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8BE95655-B446-4217-B22B-A22039C34310 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C94BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9613 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C9613 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C95B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C95B3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C95B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C956A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C956A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C956A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C94BE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-172558780-1197056294-1047824772-1526306115 Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C94BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0A4909BC-A126-4759-8489-743E4395F95A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C85DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C85DD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C85DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C76E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7838 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7838 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C77DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C77DF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C77DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7796 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7796 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C76E9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1821979802-1293486640-266429312-3444061394 Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C76E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6C99349A-0A30-4D19-8063-E10FD23448CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:08:24 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3EDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1B46E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D545 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1B46E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0DF947FB-5ADF-F372-14CC-29B24DFCB29A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59924 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1B46E8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x198244 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1994D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD242D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9267 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D396 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D335 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D2C4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CD46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CD03 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CCB1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C83D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C80F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C7A3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15BA6A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15BA55 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15B9FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125773 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12575E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125747 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1256B5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1256A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1254C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12567C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1254B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125498 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12507A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125065 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12504E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D49D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F7D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CE0A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C914 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F68 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C12C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15BAB6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F51 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125799 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125553 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F40 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1254F2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125276 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124FB4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:06:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D7C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4D56 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4D56 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4D56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3D87 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3EDD Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3EDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E84 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E84 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E34 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3D87 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3778523385-1075551105-3003741602-786845572 Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3D87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E137B0F9-9B81-401B-A275-09B3844FE62E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C1AA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19CE3E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19CE3E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19CE3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19A3F0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:32 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19A3F0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19A3F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:32 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19937C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1994D7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1994D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199477 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199477 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199477 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199422 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199422 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x199422 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19937C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3359907277-1261571504-3077384890-2233282098 Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19937C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C8441DCD-0DB0-4B32-BA2A-6DB7322E1D85 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1980E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x198244 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x198244 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1981EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1981EB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1981EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1981A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1981A1 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1981A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1980E6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-215879076-1256864903-1035954838-2072005063 Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1980E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CDE0DA4-3C87-4AEA-966A-BF3DC749807B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F2A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x193F22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x193F22 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x193F22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192C13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192C13 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x192C13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191D2F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	15003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E76 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	15002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	15001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	15000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E1D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191E1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191DD4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191DD4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191DD4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191D2F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-554363861-1307900364-2189433996-25683858 Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x191D2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 210AEBD5-F9CC-4DF4-8C1C-808292E78701 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x189673 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B814 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B814 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18B814 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:16 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A4A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A4A7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18A4A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18950A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x189673 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x189673 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18961A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18961A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18961A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1895AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1895AF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1895AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18950A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1116735573-1208325900-2750473888-3693042934 Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18950A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42900855-970C-4805-A0E6-F0A3F65C1FDC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:14 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DBDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:05:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F72C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17FA4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17FA4F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17FA4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D671 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D7C7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D7C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D76E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D76E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D76E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D71E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D71E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D71E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D671 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2864421648-1098724757-1952517252-401676739 Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x17D671 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AABB9B10-3595-417D-840C-6174C319F117 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x14FD26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F293 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F293 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16F293 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E1CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E1CA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E1CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BA27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CD9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C1AA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C1AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BFB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BFB7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BFB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BE19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BE19 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BE19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BA27 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2274523387-1252925854-3396970139-4077981595 Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16BA27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 879278FB-219E-4AAE-9BA6-79CA9B0F11F3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131942 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:41 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15D49D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D49D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15D396 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D396 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15D335 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D335 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15D2C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15D2C4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15CE0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CE0A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15CD46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CD46 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15CD03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CD03 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15CCB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15CCB1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15C914 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C914 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15C83D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C83D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15C80F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C80F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15C7A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C7A3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15C12C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15C12C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15BAB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15BAB6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15BA6A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15BA6A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15BA55 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15BA55 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x15B9FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x15B9FF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1578D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1578D8 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1578D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x156C4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x156C4E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x156C4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1549AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1549AB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1549AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x14FD26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59878 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x14FD26 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:28 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14EAB6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14EAB6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14EAB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:27 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DA5D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DBDC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DBDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DB7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DB7C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DB7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DB33 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DB33 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DB33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DA5D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1277078823-1161871785-3455788179-3144068764 Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14DA5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4C1EAD27-C1A9-4540-9324-FBCD9CAE66BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14A5D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14A5D7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14A5D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:19 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0964 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142005 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142005 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x142005 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F8BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F8BE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13F8BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E4F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E4F9 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E4F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:13 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D3DC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D545 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D545 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D4EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D4EC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D4EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D481 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D481 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D481 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D3DC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3942658733-1273830947-3344744360-2778697869 Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13D3DC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EB0032AD-1E23-4BED-A8BF-5CC78D909FA5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13BCA0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13BCA0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13BCA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101882 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132E00 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132E00 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132E00 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13220F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13220F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13220F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13155C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131942 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131942 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131845 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131845 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x131845 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1316E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1316E0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1316E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13155C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4108386780-1312520338-3329574795-2061317361 Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13155C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F4E101DC-7892-4E3B-8B47-75C6F134DD7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E889 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:04 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E889 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12E889 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:04 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12C9B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CD9B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CD9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CC33 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CC33 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CC33 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CAB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CAB2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12CAB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12C9B4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-569321292-1198236963-3720640154-425164606 Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12C9B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 21EF274C-A523-476B-9A76-C4DD3E7F5719 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12986D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12986D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12986D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:04:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x10C8FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:57 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x125799 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125799 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x125773 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125773 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x12575E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12575E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x125747 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125747 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1256B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1256B5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1256A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1256A0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x12567C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12567C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x125553 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125553 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1254F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1254F2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1254C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1254C8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1254B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x1254B3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x125498 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125498 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x125276 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125276 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x12507A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12507A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x125065 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x125065 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x12504E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x12504E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x124FB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59861 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124FB4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x124F7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F7D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x124F68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F68 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x124F51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F51 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x124F40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F40 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x124F2A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59859 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x124F2A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:55 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFACF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121234 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121234 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x121234 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F5BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F72C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F72C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F6C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F6C6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F6C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F677 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F677 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F677 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F5BE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2334414733-1094723550-157947572-3761300272 Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11F5BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8B24578D-27DE-4140-B416-6A0930E330E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:48 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A4CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:37 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A4CE Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11A4CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:37 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1178C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1178C4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1178C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:36 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10ED64 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:31 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10ED64 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10ED64 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:31 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x10C8FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59844 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0x10C8FF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102605 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102605 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x102605 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101737 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101882 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101882 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101829 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101829 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101829 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1017E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1017E0 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1017E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101737 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-642535338-1251051420-467826608-4035160592 Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101737 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 264C4FAA-879C-4A91-B077-E21B10AA83F0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:25 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFADA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFADA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFFADA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:20 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC91A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC9115 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2897 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBA48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBA48 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBA48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFABA6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFACF4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFACF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFAC9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFAC9B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFAC9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFAC52 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFAC52 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFAC52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFABA6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-735636900-1206868210-911367314-3771978925 Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFABA6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2BD8EDA4-58F2-47EF-925C-5236ADD4D3E0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xE485D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9321 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9321 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9321 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD755C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD9298 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF26F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF26F2 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF26F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:01 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF01FF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0964 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0964 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF06D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF06D6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF06D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0505 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0505 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF0505 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF041E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF041E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF041E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF01FF Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-93562369-1220922903-3293094307-821630943 Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF01FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0593A601-CE17-48C5-A3A1-48C4DF17F930 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:03:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA25D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA25D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEA25D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8184 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8184 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE8184 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xE485D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59816 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xE485D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE3B3B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE3B3B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE3B3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE274F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2897 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE2897 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE283E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE283E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE283E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE27F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE27F5 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE27F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE274F Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3489689198-1085350479-2317744822-3447179637 Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE274F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0006E6E-224F-40B1-B6FA-258A75C977CD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE027E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE027E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE027E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDCB07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDCB07 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDCB07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA62B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA62B Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDA62B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8E3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0xCA18F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0xC9E3D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8F24 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD9148 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD9298 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD9298 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD923D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD923D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD923D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD91F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD91F4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD91F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD9148 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073889795-1272380451-4254491574-3035283034 Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD9148 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9D0C03-FC23-4BD6-B663-96FD5ABEEAB4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:26 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD826E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD826E Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD826E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7407 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD755C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD755C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD74FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD74FC Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD74FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD74B3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD74B3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD74B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7407 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-826596208-1140061985-3110398639-2749552599 Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD7407 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3144DB70-F721-43F3-AFEA-64B9D7D7E2A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:23 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC923F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD242D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD242D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:15 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC28DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:13 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xCE3EC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xCE3EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xCE3EC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCE127 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCE127 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCE127 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCDEE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCDEE4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCDEE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:12 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0xCA1C6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0xCA1E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0xCA1D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xCA1E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {94DF6487-E79C-8D2F-80B7-4A4C6806C5B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59790 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xCA1D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {94DF6487-E79C-8D2F-80B7-4A4C6806C5B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59789 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xCA1C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {94DF6487-E79C-8D2F-80B7-4A4C6806C5B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59788 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xCA18F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {94DF6487-E79C-8D2F-80B7-4A4C6806C5B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59786 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC9E3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {94DF6487-E79C-8D2F-80B7-4A4C6806C5B8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59786 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0xC9322 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:11 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-1105 Account Name: N-H2-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC9322 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {E24AEA2C-F575-7733-E6BB-6ACE9179112D} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC92BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC92BA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC92BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9267 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1155195136-1210895098-907024772-3863732294 Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC9267 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 44DAE100-CAFA-482C-8419-103646E04BE6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC923F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC923F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC91A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59797 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC91A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC9115 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59797 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC9115 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC90DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59794 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90DE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC90C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59794 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90C9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC90B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59794 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90B2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC90A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59794 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC90A1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC8F24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59792 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8F24 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8EF2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8EE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8F04 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC8F04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59790 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8F04 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC8EF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59789 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8EF2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC8EE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59788 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8EE1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon ID: 0xC8E3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A46C8E0D-3EB8-79D5-9392-E5FF6FCC9981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.16 Source Port: 59786 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: Administrator Account Domain: CBCI-801990-5 Logon ID: 0xC8E3D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:10 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC77D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:09 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC77D3 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC77D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:02:09 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC37E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC37E6 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC37E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2726 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC28DA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC28DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2814 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2814 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2814 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC27CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC27CB Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC27CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2726 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1221205794-1307274001-1787226013-2899950664 Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC2726 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 48CA1F22-6B11-4DEB-9DE7-866A48BCD9AC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACF7D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA3A7A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:44 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB5224 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:42 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB5224 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB5224 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:42 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB2CEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:40 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB2CEA Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB2CEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:40 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAE321 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAE321 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xAE321 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACE25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACF7D Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACF7D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACF24 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACF24 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACF24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACED4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACED4 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACED4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:35 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACE25 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1928665712-1290050681-1885960323-546507225 Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xACE25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 72F51A70-9C79-4CE4-8378-6970D9099320 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:34 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA5F20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA5F20 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA5F20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA2AD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA3A7A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA3A7A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA358A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA358A Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA358A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA336C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA336C Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA336C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA2AD7 Privileges: SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4223272319-1302903727-2772433566-3818926660 Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xA2AD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FBBA057F-BBAF-4DA8-9EFA-3FA54432A0E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:01:33 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:00:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:00:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 11:00:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x2BAE2 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xed8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:59:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:59:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: administrator Account Domain: CBCI-801990-5 Logon ID: 0x6CFA1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: administrator Account Domain: CBCI-801990-5 Logon ID: 0x6CFA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0BE8D1C9-1B6F-A2B0-114E-2DBC01AB3403} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-801990-5 Logon GUID: {0BE8D1C9-1B6F-A2B0-114E-2DBC01AB3403} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:52 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:49 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: administrator Account Domain: CBCI-801990-5 Logon ID: 0x5569C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2058359922-905022242-888175903-500 Account Name: administrator Account Domain: CBCI-801990-5 Logon ID: 0x5569C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {0EAEC531-5C2B-425C-DA4C-0D1154D75B7F} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-801990-5 Logon GUID: {0EAEC531-5C2B-425C-DA4C-0D1154D75B7F} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:47 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x4FED6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x4FED6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CC11250F-055F-505F-194D-A2068D3D34CC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x4FED6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon GUID: {E5C4F14B-CC3D-7466-1C78-60F19BFEAA9F} Target Server: Target Server Name: n-h1-801990-5$ Additional Information: n-h1-801990-5$ Process Information: Process ID: 0x119c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x4E522 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x4E522 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F80103B-0759-ACD3-1927-690FAE805586} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x4E522 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:39 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x42571 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x42571 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B14FFBC5-B8FA-21D6-37CF-4329E78F775C} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x42571 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon GUID: {0C38721D-2CEA-28C4-A509-E6F58DF162D3} Target Server: Target Server Name: n-h1-801990-5$ Additional Information: n-h1-801990-5$ Process Information: Process ID: 0x1074 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:30 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x40528 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:29 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x40528 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F80103B-0759-ACD3-1927-690FAE805586} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x40528 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:29 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x398FF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:22 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x398FF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {95273AEC-80F4-C80B-99FE-988BB5057C09} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x398FF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon GUID: {AE00C10D-1419-F19C-0FC1-DEB3F9D69B55} Target Server: Target Server Name: n-h1-801990-5$ Additional Information: n-h1-801990-5$ Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:22 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x2BAE2 Account Modified: Account Name: S-1-5-21-2058359922-905022242-888175903-500 Access Granted: Access Right: SeServiceLogonRight	4717	0		0	13569	0	-9214364837600034816	14367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:21 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2BCA5 Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: \Device\HarddiskVolume1\Windows\System32\aepic.dll	6281	0		0	12290	0	-9218868437227405312	14365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: \Device\HarddiskVolume1\Windows\System32\aepic.dll	6281	0		0	12290	0	-9218868437227405312	14364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:11 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2BCA5 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2BCA5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0003-256c-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5	4724	0		0	13824	0	-9214364837600034816	14355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 7/27/2021 10:58:06 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD User: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Process Information: Process ID: 0xb14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD User: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Process Information: Process ID: 0xb14 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x2BAE2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x2BAE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x45c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x45c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0000-336c-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 1f53764d-bb2c-4332-9e1a-55c79f795840 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 1f53764d-bb2c-4332-9e1a-55c79f795840 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\53559d7dacd98b99b5f326c1de4fce40_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	856	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:06 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x25911 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:03 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x25911 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD5B8B54-DFC9-1595-BD91-B7B0365502E4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x25911 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9bc Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:03 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Domain: Domain Name: N-H1-801990-5 Domain ID: S-1-5-21-974630955-967650509-2398959516 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	14336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:02 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x1CF20 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1CF20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CD5B8B54-DFC9-1595-BD91-B7B0365502E4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x1CF20 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x1C24C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5.LOCAL Logon ID: 0x1C24C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5F80103B-0759-ACD3-1927-690FAE805586} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x1C24C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:58:00 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	14324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2164	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x16AC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	864	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x150AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0000-136c-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x45c Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x45c Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5a8 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	2180	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	14302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	504	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:59 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x590 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	896	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x60 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?07?-?27T22:57:58.085066600Z New Time: ?2021?-?07?-?27T22:57:58.066000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	360	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	900	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:58 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	904	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBEEB Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	14280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBEC0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBEEB Linked Logon ID: 0xBEC0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xBEC0 Linked Logon ID: 0xBEEB Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:57 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: CBCI-801990-5 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	892	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:56 PM	d2106bf8-833a-0002-f96b-10d23a83d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x6516	4902	0		0	13568	0	-9214364837600034816	14271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	868	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:56 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	828	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	14269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	824	828	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x338 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	360	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	184	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:55 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	184	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	184	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a0 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	184	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	184	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:54 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	224	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	224	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:53 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	184	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:51 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	184	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	14258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	14257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5.cbci-801990-5.local		7/27/2021 10:57:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x594 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?07?-?27T22:57:39.204483500Z New Time: ?2021?-?07?-?27T22:57:39.190000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	388	n-h1-801990-5		7/27/2021 10:57:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x5CBE45 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x5CBE45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	14251	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1420	1520	n-h1-801990-5		7/27/2021 10:57:39 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Member: Security ID: S-1-5-21-2058359922-905022242-888175903-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	2204	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Member: Security ID: S-1-5-21-2058359922-905022242-888175903-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	2204	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	2204	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	3548	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: LDAP/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.42 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	2204	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {6B01E740-1A4D-5129-9E31-11986345F251} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: ldap/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	2204	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-801990-5.LOCAL Logon GUID: {6B01E740-1A4D-5129-9E31-11986345F251} Target Server: Target Server Name: n-ad-801990-5.cbci-801990-5.local Additional Information: cifs/n-ad-801990-5.cbci-801990-5.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.42 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	2204	n-h1-801990-5		7/27/2021 10:57:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8f0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:57:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:40:44 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:40:44 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:30:11 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:30:11 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Process Information: Process ID: 0x338 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:30:06 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Process Information: Process ID: 0x430 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:30:05 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Process Information: Process ID: 0xc40 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0		0	13824	0	-9214364837600034816	14231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:30:05 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:28:15 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x14E8F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:28:15 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:28:15 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:28:15 PM	1f41a18f-8336-0005-56a5-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x13D258 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:10 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x13D258 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:10 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:10 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:10 PM	1f41a18f-8336-0001-f4a4-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x138720 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:07 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x138720 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:07 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:07 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:28:07 PM	1f41a18f-8336-0004-aba4-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:28:00 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:28:00 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:27:59 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:27:59 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:27:55 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:27:55 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xADE26 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-500 Account Name: Administrator Account Domain: N-H1-801990-5	4724	0		0	13824	0	-9214364837600034816	14212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:27:29 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xADE26 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-500 Account Name: Administrator Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 7/27/2021 10:27:29 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:27:29 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xADE26 User: Security ID: S-1-5-21-974630955-967650509-2398959516-500 Account Name: Administrator Account Domain: N-H1-801990-5 Process Information: Process ID: 0xde4 Process Name: C:\Windows\System32\net1.exe	4798	0		0	13824	0	-9214364837600034816	14210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:27:29 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xADE26 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xb64 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0		0	13826	0	-9214364837600034816	14209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:27:17 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Write persisted key to file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016	5061	0		0	12290	0	-9218868437227405312	14201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:26:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:55 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:55 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: \Device\HarddiskVolume1\Windows\System32\aepic.dll	6281	0		0	12290	0	-9218868437227405312	14192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	3784	n-h1-801990-5		7/27/2021 10:25:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: \Device\HarddiskVolume1\Windows\System32\aepic.dll	6281	0		0	12290	0	-9218868437227405312	14191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	3504	n-h1-801990-5		7/27/2021 10:25:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xADE26 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:40 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xADE26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:40 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:40 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:40 PM	1f41a18f-8336-0000-23a2-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:38 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x594 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?07?-?27T22:25:36.458658800Z New Time: ?2021?-?07?-?27T22:25:36.445000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	2316	n-h1-801990-5		7/27/2021 10:25:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xAA060 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xAA060 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:30 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0xAA060 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:30 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:30 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:30 PM	1f41a18f-8336-0004-6fa2-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 1f53764d-bb2c-4332-9e1a-55c79f795840 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:29 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 1f53764d-bb2c-4332-9e1a-55c79f795840 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\53559d7dacd98b99b5f326c1de4fce40_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:25:29 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5	4724	0		0	13824	0	-9214364837600034816	14175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:27 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 7/27/2021 10:25:27 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:27 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Process Information: Process ID: 0xc18 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:27 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Process Information: Process ID: 0xc18 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:27 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Process Information: Process ID: 0xc18 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:27 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:22 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:22 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Process Information: Process ID: 0xc18 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:22 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Member: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0		0	13826	0	-9214364837600034816	14167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x92796 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0		0	12545	0	-9214364837600034816	14166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:20 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Logon ID: 0x92796 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xc18 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:19 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xc18 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:19 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:19 PM	1f41a18f-8336-0003-06a2-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5	4724	0		0	13824	0	-9214364837600034816	14161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:14 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 7/27/2021 10:25:14 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:14 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5	4722	0		0	13824	0	-9214364837600034816	14159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:14 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 New Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: Admin Account Domain: N-H1-801990-5 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -	4720	0		0	13824	0	-9214364837600034816	14158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:14 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Member: Security ID: S-1-5-21-974630955-967650509-2398959516-1001 Account Name: - Group: Security ID: S-1-5-21-974630955-967650509-2398959516-513 Group Name: None Group Domain: N-H1-801990-5 Additional Information: Privileges: -	4728	0		0	13826	0	-9214364837600034816	14157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:25:14 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:49 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x53F70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xedc Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:49 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:49 PM	1f41a18f-8336-0001-aca2-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5	4724	0		0	13824	0	-9214364837600034816	14153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:49 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 7/27/2021 10:24:49 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:49 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Process Information: Process ID: 0xedc Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:49 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Process Information: Process ID: 0xedc Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	14150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:49 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:48 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:48 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H1-801990-5 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x228 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4625	0		0	12544	0	-9218868437227405312	14147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:47 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-974630955-967650509-2398959516-500 Account Name: Administrator Account Domain: N-H1-801990-5 Process Information: Process ID: 0xfcc Process Name: C:\Windows\System32\LogonUI.exe	4798	0		0	13824	0	-9214364837600034816	14146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:47 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:43 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\vmms.exe	4799	0		0	13826	0	-9214364837600034816	14144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:43 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:43 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:43 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:41 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:41 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:41 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:41 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:41 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:40 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:40 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:40 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_711750cc-f295-4fd6-b6f9-60fe4b7fef69 Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:40 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:39 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon ID: 0x2B2D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-801990-5 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:39 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-801990-5 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	14130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:39 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-801990-5 Error Code: 0x0	4776	0		0	14336	0	-9214364837600034816	14129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:39 PM	1f41a18f-8336-0002-c3a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0		0	12292	0	-9214364837600034816	14128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0		0	12290	0	-9214364837600034816	14125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0		0	12292	0	-9214364837600034816	14124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:38 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	14119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:37 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x20EEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:36 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	14106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801990-5		7/27/2021 10:24:36 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x530 Process Name: C:\Windows\System32\svchost.exe	4799	0		0	13826	0	-9214364837600034816	14102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\VSSVC.exe	4799	0		0	13826	0	-9214364837600034816	14094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	856	n-h1-801990-5		7/27/2021 10:24:35 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x58c Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?07?-?27T22:24:34.747497100Z New Time: ?2021?-?07?-?27T22:24:35.029000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	14089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5		7/27/2021 10:24:35 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x5e4 Process Information: Process ID: 0x508 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0		0	13568	0	-9214364837600034816	14086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	32	n-h1-801990-5		7/27/2021 10:24:34 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	14082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:34 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-974630955-967650509-2398959516-513 Group Name: None Group Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -	4737	0		0	13826	0	-9214364837600034816	14081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-513 Account Domain: N-H1-801990-5 Old Account Name: None New Account Name: None Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-974630955-967650509-2398959516-513 Group Name: None Group Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4737	0		0	13826	0	-9214364837600034816	14079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-503 Account Name: DefaultAccount Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-503 Account Name: DefaultAccount Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-501 Account Name: Guest Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-501 Account Name: Guest Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-500 Account Name: Administrator Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-500 Account Name: Administrator Account Domain: N-H1-801990-5 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	14073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -	4781	0		0	13824	0	-9214364837600034816	14002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0		0	13826	0	-9214364837600034816	14001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	n-h1-801990-5		7/27/2021 10:24:32 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	14000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:21 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:21 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5B6 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	13992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5A4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5B6 Linked Logon ID: 0xB5A4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5A4 Linked Logon ID: 0xB5B6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	13988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:20 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:19 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	904	n-h1-801990-5		7/27/2021 10:24:19 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:24:19 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-801990-5$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	n-h1-801990-5		7/27/2021 10:24:19 PM	1f41a18f-8336-0005-94a1-411f3683d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x61E6	4902	0		0	13568	0	-9214364837600034816	13983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	872	n-h1-801990-5		7/27/2021 10:24:19 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	n-h1-801990-5		7/27/2021 10:24:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	13981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	n-h1-801990-5		7/27/2021 10:24:18 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	n-h1-801990-5		7/27/2021 10:24:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	n-h1-801990-5		7/27/2021 10:24:17 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	388	n-h1-801990-5		7/27/2021 10:24:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	388	n-h1-801990-5		7/27/2021 10:24:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	388	n-h1-801990-5		7/27/2021 10:24:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	388	n-h1-801990-5		7/27/2021 10:24:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5		7/27/2021 10:24:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5		7/27/2021 10:24:15 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	316	n-h1-801990-5		7/27/2021 10:24:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5		7/27/2021 10:24:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5		7/27/2021 10:24:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	13969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	n-h1-801990-5		7/27/2021 10:24:12 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5c4 Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?07?-?27T22:24:02.294140900Z New Time: ?2021?-?07?-?27T22:24:02.287000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	472	WIN-5T344G8GM1H		7/27/2021 10:24:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	13967	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1292	1536	WIN-5T344G8GM1H		7/27/2021 10:24:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:57 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:57 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H	4724	0		0	13824	0	-9214364837600034816	13964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:42 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 7/27/2021 10:23:42 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:42 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa08 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	13962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:42 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-974630955-967650509-2398959516-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa08 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0		0	13824	0	-9214364837600034816	13961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:42 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x34c Process Information: Process ID: 0x490 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0		0	13568	0	-9214364837600034816	13960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	596	WIN-5T344G8GM1H		7/27/2021 10:23:16 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:08 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:08 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0		0	12292	0	-9214364837600034816	13957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:04 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x634AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:03 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0		0	12292	0	-9214364837600034816	13945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:23:02 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:02 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:02 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:02 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:02 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x50c Name: C:\Windows\System32\svchost.exe Previous Time: ?2021?-?07?-?27T22:23:00.739608700Z New Time: ?2021?-?07?-?27T22:23:01.925000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	592	WIN-5T344G8GM1H		7/27/2021 10:23:01 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:00 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	864	WIN-5T344G8GM1H		7/27/2021 10:23:00 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:00 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:23:00 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:52 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:52 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:52 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:52 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x576B5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0		0	12548	0	-9214364837600034816	13929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5760C Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x576B5 Linked Logon ID: 0x5760C Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5760C Linked Logon ID: 0x576B5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0		0	12544	0	-9214364837600034816	13925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	908	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	908	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	912	WIN-5T344G8GM1H		7/27/2021 10:22:51 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	872	WIN-5T344G8GM1H		7/27/2021 10:22:50 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x330 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	872	WIN-5T344G8GM1H		7/27/2021 10:22:50 PM	e0cff10c-8335-0005-12f1-cfe03583d701		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5005B	4902	0		0	13568	0	-9214364837600034816	13918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	880	WIN-5T344G8GM1H		7/27/2021 10:22:50 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	836	WIN-5T344G8GM1H		7/27/2021 10:22:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0		0	12288	0	-9214364837600034816	13916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	832	836	WIN-5T344G8GM1H		7/27/2021 10:22:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x340 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c0 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:49 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x25c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a8 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:48 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x268 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x25c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	588	WIN-5T344G8GM1H		7/27/2021 10:22:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x25c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	588	WIN-5T344G8GM1H		7/27/2021 10:22:47 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	240	WIN-5T344G8GM1H		7/27/2021 10:22:30 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	WIN-5T344G8GM1H		7/27/2021 10:22:28 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2		0	13312	0	-9214364837600034816	13904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0		0	13573	0	-9214364837600034816	13903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H		7/27/2021 10:22:27 PM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1		0	12288	0	-9214364837600034816	13902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1980	WIN-5T344G8GM1H		1/19/2018 9:48:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0		4	103	0	4620693217682128896	13901	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1144	WIN-5T344G8GM1H		1/19/2018 9:48:13 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.	4647	0		0	12545	0	-9214364837600034816	13900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:48:12 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H		1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H		1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H		1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H		1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	13895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H	4724	0		0	13824	0	-9214364837600034816	13893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0		0	13824	0	-9214364837600034816	13892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -	4739	0		0	13569	0	-9214364837600034816	13891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe	4798	0		0	13824	0	-9214364837600034816	13890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0		0	12548	0	-9214364837600034816	13889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2		0	12544	0	-9214364837600034816	13888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E3	1102	0		4	104	0	4620693217682128896	13887	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1136	WIN-5T344G8GM1H		1/19/2018 9:47:33 AM			security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Log clear	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]